Threat Watch

Malicious Npm Package Stealing Discord Credentials and Browser Data

ZDNet reported that researchers at Sonatype discovered a malicious JavaScript library, discord.dll, recently published to the npm registry (npmjs.com) that steals sensitive files and credentials from several web browsers and the Discord client. The package copies the LevelDB databases that these browsers use to store browsing history and the access tokens issued by various sites. Sonatype notes that it is a refinement of the fallguys library seen in August. At the time of this writing, npm has flagged the package as malicious and replaced it with a security holding placeholder.

ANALYST NOTES

With far more package managers in use today than five or ten years ago, incidents like this will almost certainly recur. Mitigating such threats is difficult, but a good place for a company to start is educating its developers on the importance of thoroughly vetting third-party code and libraries pulled from public repositories. The fact that a package is hosted on npm does not mean it is safe to use. Also take care when adding even a well-known package, so that a similarly named malicious package is not installed in its place. If auditing the dependencies in its codebase is not part of a company's current processes, this is a good reason to start.
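As an added illustration of the two controls recommended above (catching similarly named packages and checking dependencies against a vetted list), the following Node.js script audits a package.json manifest offline. It is example code written for this note, not code from the ZDNet article, Sonatype, or npm. The known-package list, the approved allowlist and the sample manifest are constructed for the example, and the edit-distance threshold is a heuristic: its output is a list of candidates for a human to review, not a verdict.

```javascript
// Added example: offline audit of a package.json manifest.
// Two kinds of finding are produced:
//   "lookalike"  - a dependency name within a small edit distance of a
//                  well-known package (typosquat candidate, heuristic)
//   "unapproved" - a dependency that is not on the organisation's vetted list
// KNOWN_PACKAGES, APPROVED and SAMPLE_MANIFEST are constructed for this example.

const KNOWN_PACKAGES = ["discord.js", "express", "lodash", "react", "react-dom", "axios"];
const APPROVED = new Set(["discord.js", "express", "lodash", "react", "react-dom"]);

const SAMPLE_MANIFEST = {
  name: "bot-demo",
  dependencies: {
    "discord.dll": "^1.0.0",   // constructed: resembles discord.js
    "lodahs": "4.17.20",       // constructed: transposed letters of lodash
    "express": "^4.17.1",
    "react-dom": "^16.13.1",
  },
  devDependencies: {
    "axios": "^0.20.0",        // well known, but not on the allowlist
  },
};

// Standard Levenshtein edit distance; insert, delete and substitute each cost 1.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Heuristic threshold: allow 2 edits for short names, roughly a quarter of the
// length for longer ones, so "discord.dll" (11 chars) is compared within 3 edits.
function lookalikeThreshold(name) {
  return Math.max(2, Math.ceil(name.length / 4));
}

// Strip an npm scope ("@org/pkg" -> "pkg") before comparing names.
function bareName(name) {
  return name.replace(/^@[^/]+\//, "");
}

function auditDependencies(manifest, known = KNOWN_PACKAGES, approved = APPROVED) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const bare = bareName(name);
    // A name that exactly matches a known package is not a lookalike of anything.
    if (!known.includes(name)) {
      for (const k of known) {
        const d = levenshtein(bare, k);
        if (d <= lookalikeThreshold(bare)) {
          findings.push({ name, kind: "lookalike", resembles: k, distance: d });
        }
      }
    }
    if (!approved.has(name)) {
      findings.push({ name, kind: "unapproved", version: deps[name] });
    }
  }
  return findings;
}

// Print the findings when run directly (e.g. `node audit.js`).
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_MANIFEST)) {
    console.log(JSON.stringify(f));
  }
}
```

On the sample manifest, `discord.dll` is reported as a lookalike of `discord.js` (3 edits) and `lodahs` as a lookalike of `lodash` (2 edits); both, together with `axios`, are also reported as unapproved. In practice the known-package list would be the set of packages the organisation already uses, and the script would run in CI against the lockfile before `npm install` is allowed to proceed.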

References:

https://www.npmjs.com/package/discord.dll

https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord-and-browser-files/